Kiddicare customer data used in dummy site dribbles online

Kiddicare has warned hundreds of thousands of its customers that their names, addresses, e-mail addresses, and phone numbers were stolen after the British baby specialist e-tailer suffered a major data breach blunder.

The company admitted that, in November 2015, it had used real customer data on a testing site; it's understood that miscreants lifted the information from there.

Kiddicare said it had been notified of the breach by "a small number of customers" who had received phishing text messages from hackers posing as a subsidiary website of the retailer. At that point, however, the company was unable to pinpoint the source of the leak.


However, the test site wasn't deleted until an unnamed security outfit flagged up the breach to Kiddicare.

"We have since been alerted by a security company with information indicating that data relating to Kiddicare may have been compromised," the company said (PDF). "As a result, we were able to compare a sample set of this data with our own. We were able to match a good proportion of this sample against a dataset used in November 2015 on a test site. […] The test site was deleted immediately."

Kiddicare added that it had reported the cockup to the Information Commissioner's Office. The company said it had put security upgrades and improvements in place, but did not reveal what they were.

Customers' passwords have apparently been reset, and the company claimed that it hadn't seen any evidence that data had been compromised. It's been reported that 794,000 people were affected by the incident.

"We are very sorry for the potential stress and anxiety this incident may have caused our customers, but we want to reassure everyone that the problem has been fixed," a Kiddicare spokesperson told Ars.

Security expert Graham Cluley reminded businesses to be more careful with their testing sites. He said:

In principle, there's nothing really wrong with using real production data on a test environment *if* the test site is properly secured and does not make it easier for hackers to steal information than, say, on the normal, live servers. But it shouldn't be forgotten that this was a test site, and things are expected to go wrong.

Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites—opening opportunities for data thieves and hackers.

For that reason it’s usually much safer to generate fake data for testing purposes—just in case.
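Cluley's advice above, to generate data for test environments rather than copy production records into them, as an added example that is not part of the original article and not anything Kiddicare published. It assumes two production-shaped tables (customers and orders) and shows one way to build a test dataset from them: a keyed hash (HMAC-SHA256) pseudonymises each real customer identically across both tables so joins still work, the fake values keep the shape of the real ones so format validation in the application still passes, and an export check refuses to ship anything in which a real name, e-mail address, phone number or address survives verbatim. Every record value, name pool and domain below is constructed for this example; the key is generated at run time and, in a real export, would stay on the production side.

```python
"""Added example: build a test dataset from production-shaped records
without copying the real PII into the test environment."""
import hashlib
import hmac
import re
import secrets

# The key stays on the production side; it is never shipped with the test
# data. A fresh key per export is fine unless two exports must agree.
PSEUDO_KEY = secrets.token_bytes(32)

# Small pools of invented names/streets used to build format-preserving fakes.
FIRST_NAMES = ["Alex", "Sam", "Jo", "Chris", "Pat", "Morgan", "Taylor", "Jamie"]
LAST_NAMES = ["Smith", "Jones", "Taylor", "Brown", "Williams", "Wilson", "Evans", "Davies"]
STREETS = ["High Street", "Station Road", "Church Lane", "Park Avenue", "Mill Road"]
PII_FIELDS = ("name", "email", "phone", "address")
UK_MOBILE = re.compile(r"07\d{3} \d{6}")


def _digest(key, field, value):
    """Keyed hash of one field value. The field name is mixed in so the same
    string appearing in two different columns does not hash identically."""
    msg = field.encode() + b"\x00" + str(value).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def surrogate_id(real_id, key=PSEUDO_KEY):
    """Stable fake customer id: same real id -> same surrogate under one key."""
    return int.from_bytes(_digest(key, "customer_id", real_id)[:4], "big") % 10_000_000


def looks_like_uk_mobile(phone):
    """Format check the application might apply (07xxx xxxxxx)."""
    return UK_MOBILE.fullmatch(phone) is not None


def pseudonymise_customer(rec, key=PSEUDO_KEY):
    """Return a record with the shape of `rec` but none of its real PII."""
    fake_id = surrogate_id(rec["customer_id"], key)
    d = _digest(key, "customer_pii", rec["customer_id"])
    first = FIRST_NAMES[d[0] % len(FIRST_NAMES)]
    last = LAST_NAMES[d[1] % len(LAST_NAMES)]
    street = STREETS[d[2] % len(STREETS)]
    house = d[3] % 200 + 1
    # UK-mobile-shaped number built from hash bytes, so validation still passes.
    digits = "".join(str(b % 10) for b in d[4:13])
    phone = "07" + digits[:3] + " " + digits[3:]
    # Reserved documentation domain: mail sent by a test run cannot reach anyone real.
    email = f"{first.lower()}.{last.lower()}.{fake_id}@example.com"
    return {
        "customer_id": fake_id,
        "name": f"{first} {last}",
        "email": email,
        "phone": phone,
        "address": f"{house} {street}",
        # Non-identifying business fields can be copied through unchanged.
        "newsletter_opt_in": rec["newsletter_opt_in"],
    }


def pseudonymise_order(order, key=PSEUDO_KEY):
    """Orders refer to customers by id; map to the same surrogate the customer
    table received so joins in the test database still work."""
    return {
        "order_id": order["order_id"],
        "customer_id": surrogate_id(order["customer_id"], key),
        "total_pence": order["total_pence"],
    }


def leaked_pii(real_records, fake_records):
    """Pre-export check: any PII value from the real records that survives
    verbatim in the test set is a leak. Returns the offending values."""
    real = {str(r[f]) for r in real_records for f in PII_FIELDS if f in r}
    fake = {str(r[f]) for r in fake_records for f in PII_FIELDS if f in r}
    return real & fake


def build_test_dataset(customers, orders, key=PSEUDO_KEY):
    """Anonymise both tables together and refuse to export on any leak."""
    fake_customers = [pseudonymise_customer(c, key) for c in customers]
    fake_orders = [pseudonymise_order(o, key) for o in orders]
    leaks = leaked_pii(customers, fake_customers)
    if leaks:
        raise RuntimeError(f"real PII survived anonymisation: {sorted(leaks)}")
    return fake_customers, fake_orders


# Constructed sample records standing in for a production extract.
SAMPLE_CUSTOMERS = [
    {"customer_id": 1042, "name": "Alice Hart", "email": "alice.hart@example.org",
     "phone": "07700 900123", "address": "12 Acacia Avenue", "newsletter_opt_in": True},
    {"customer_id": 1043, "name": "Ben Okafor", "email": "ben.okafor@example.net",
     "phone": "07700 900456", "address": "3 Elm Close", "newsletter_opt_in": False},
]
SAMPLE_ORDERS = [
    {"order_id": 5001, "customer_id": 1042, "total_pence": 4999},
    {"order_id": 5002, "customer_id": 1042, "total_pence": 1250},
    {"order_id": 5003, "customer_id": 1043, "total_pence": 8900},
]

if __name__ == "__main__":
    fake_customers, fake_orders = build_test_dataset(SAMPLE_CUSTOMERS, SAMPLE_ORDERS)
    for rec in fake_customers + fake_orders:
        print(rec)
```

The point of keying the hash rather than using a plain SHA-256 is that a plain hash of a low-entropy field (a phone number, a customer id) can be reversed by brute force from the test side; with the key kept in production, the test database holds nothing that maps back to a real person. The leak check is deliberately run on the production side before anything is copied, which is the step a test site built from a raw production dump skips.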

Andrii Degeler
Andrii is a contributing reporter at Ars Technica UK, covering a wide range of topics from policy to hardware and crowdfunding. He holds a master's degree in Journalism from the University of Groningen, the Netherlands. Email: andrii@proceed.to // Twitter: @adegeler